
Recon Village - DECEPTICON

Formal Metadata

Title: Recon Village - DECEPTICON
Subtitle: Deception Techniques to Derail OSINT Attempts
Alternative Title: DECEPTICON OPSEC to Slow the OSINT
Number of Parts: 335
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract: Presentations from the DEF CON 27 Recon Village
Transcript: English (auto-generated)
Okay, everyone, let's get started with the next session. Uh, we've got Joe Gray, he's a hacker and social engineer. Uh, Joe is the co-founder of, uh, I'll read this again, uh, Through the Hacking Glass, which provides free mentorship and training for infosec-ers. And Joe's gonna be talking about deceptive techniques to derail OSINT technique attempts. And over to Joe. Thanks very much. Thanks, can everybody hear me okay? Cool. Um, so,
welcome to Decepticon. Uh, about me, I'm a senior security architect, um, 2017 DerbyCon social engineering capture the flag winner, um, 2018 and 2019, uh, NOLACon OSINT CTF, um, we got
third place on that, uh, the Password Inspection Agency, uh, second place this year, BSides Atlanta, uh, Forbes contributor, and, uh, I'm also in the process of writing a social engineering and OSINT book, uh, with No Starch Press, tentatively titled Securing the Human Element. Um, so, and, uh, I've started doing some OSINT training, uh, I'll give you some
more details on that at the end. Um, so basically, uh, what we're gonna talk about, we're gonna talk about where OSINT comes from. So we're gonna start at a very ground level. This may be a little bit basic for a lot of you. Um, and then we're gonna kind of explain tools and techniques that may be used, uh, because we're looking at this from a personal OPSEC perspective, but at the same time, we're going to kind of
incorporate some business perspective into it as well, just because at the end of the day, we're supporting a business as well. Um, we'll talk a little bit about online deception, time permitting, we'll talk about, um, decoys and canaries, a little about, a little bit about encryption, uh, social media and, uh, identity
management, not to be confused with identity and access management. Um, if you need help with your identity and access management, uh, I, per this badge, I am a state password inspector, I will inspect your password after the talk out in the hallway. So, I've got a badge, so it's perfectly legitimate too. So with OSINT, um, this definition is derived
from, uh, the CIA's resources. Um, love them or hate them, uh, they do come up with some really good PR friendly, uh, definitions at times. Um, so basically, where are we getting it from? Well, of course, the internet, that's, that's pretty much the given, but at
the same time, we've got things like, uh, mass media. Um, those of us in the United States and even some people abroad, um, in the 90s, uh, the JonBenét Ramsey, uh, murder. A lot of people, I've actually heard this, I don't, I have no insider knowledge, uh, to this, but I've heard people say that, uh, the reason that happened was her dad
owned a company and got a round of funding and there was something in the newspaper about it and there's suspicion that it could have been, um, kidnapping gone wrong. Don't know, I was very young when that happened, but that is a scenario of if you put something in
the media, whether it's a press release, a newspaper article or anything, you, you are letting someone know that you are affiliated with something, something has happened, you've gotten a round of funding, uh, somebody's bought your company, uh, your company filed for bankruptcy, um, your company's, uh, chief financial officer is ugly, who knows, I mean, there's all kinds of things you can find from that. Um, but then
specialized conference, uh, proceedings, journals, all that fun stuff, that's more for the academic community, so like if you present for like ACM or IEEE, you have to submit a formal actual paper, not just an abstract and an outline like you do for most conferences. With that, there's information on there, affiliations, email addresses,
sometimes phone numbers, sometimes the source of the funding, which gives me, as a social engineer, a pretext to have an excuse to call you or email you. Um, photos, of course, you've got the metadata of the photo, um, including if it's taken with a phone and not put through social media or a scrubber, uh, it could have latitude, longitude, type of
camera, uh, pixel count, horizontal, vertical, uh, front camera, back camera. Um, if you want to test this out, have someone take a random picture and email it to you and then just view the info for it. Uh, you could put it in an EXIF tool if you would like. Um,
if you go to osintframework.com, there are, uh, links to OSINT, or I'm sorry, EXIF tools that you can actually upload the picture and it'll look at it for you as well. Um, also with photos, you've got the ability of reverse image search, um, and sometimes like with what Josh Huff demonstrated at DerbyCon a few years ago, it's not what
the photo's telling you, it's what's in the reflection of the photo because someone had taken a picture of a gas pump and in the reflection was a car and he was able to trace it to the type of car, the general location of it, and so forth and so on. So he could have went way further with that than he did. Um, mapping and geospatial information, uh, before I do any social engineering engagement, I tend to do what I like
to call, uh, taking a stroll around the block and that's just hopping on, uh, Google Maps, Bing Maps, Street View, Street Side, and I go and I look. There are other sources as well, but these are like your two most basic and I'll try to find out, hey, is there a gate? Do they routinely leave this gate hanging open? Who's the company? Because I
frame a lot of my stuff from, for social engineering. Um, and then from there, of course, social media and then within social media, I'm going to go ahead and lump in dating sites as well. Um, just because there are inner, um, interactions between your
social media platform and your profile on a dating site. So where do we gather it? Seeing as I did seven years on a submarine, this is probably one of the most ironic pictures I've seen and it perfectly describes the dystopian society we live in that we would rather view the world through the lens of what this single source of information is
telling us instead of just opening the door and seeing the world for what it is. And I mean, if we wanted to go and have the same talk down in the voting village, we could do the same thing and talk about people's opinions are skewed based on what they're seeing there and that's skewed based on algorithms and bias. But we're not in the
voting village, we're not in the crypto privacy village, so we'll, we'll leave that right there. So if we want to look at major resources, um, the slide used to have IntelTechniques.com. Uh, let's take a moment and have a moment of silence for, uh, the tools section of IntelTechniques.com and Pipl. It was a great moment of
silence. Uh, but anyway, uh, OSINT framework. Uh, so leading into the TraceLabs missing person CTF, I taught two four hour sessions leading into it, uh, to help people out, uh, based on feedback from judges, like what frustrated them with submissions to get better quality submissions. And as a byproduct of that, um, the
majority of our time, uh, when dealing with tools was actually osintframework.com. I had people come in with API keys and be ready to use tools like Recon-ng, DataSploit, theHarvester, things like that. But honestly, OSINT Framework scratched the itch for the majority of things we were looking for. And for itches it didn't scratch and the tools couldn't scratch, there's always our good friend, uh, my favorite advertising
firm, Google. Because let's face it, they're an advertising firm that dabbles in security and email. I said it. I used to say they were the evil empire and then Mark Zuckerberg said, hold my beer, watch this. And then he bought Instagram. Uh, but anyway, with
these tools, um, I mean, I hear there's some affiliation with DataSploit and the specific village. Um, just a slight one. Uh, but for the personal OSINT perspective, uh, of the tools I'm listing here, honestly, SpiderFoot, DataSploit and OnionScan, the three that you're going to look at for your personal profile solely on the
fact of Recon-ng. It has some capabilities, but that's more for looking at data breaches. Um, you can actually do stuff with your IP address with your email address. It's a little bit more meaningful, um, out of DataSploit. OnionScan, that's just going to
compare public SSH, um, keys with like dark web type stuff. Um, it's meant as a privacy tool, but it's just like Nmap. It's just like Metasploit. It's just like a hammer. Is it a tool or a weapon? Intent. So when we gather it, where can you get it? Well, this
is a little bit of a mystery at times. A couple of years ago, I was in a department store around Christmas time and I heard a man on the phone giving a 16 character string that was purely numeric, starting with the number four in the middle of the mall. I was busy and
on my way to get something or else I would have stopped and asked him to repeat it, that I missed the last four, and I could have probably went ahead and asked for the CVV as well. But anyway, um, bars, that's a hotspot. I was at a conference in Orlando last month and I was approached, I had changed clothes, was not wearing a badge, was
not with anybody from the conference. I was approached by someone that some people in the US may consider hostile, um, in terms of country wise, um, asking me how the conference is going and ask if I'm willing to teach them about technical security. Fortunately, I had
populated my calendar with all my events here and because I use three different email addresses for the calendar, everything was duplicated twice. So I just went scrolling. I was like, Oh no, sorry. I'm booked through the end of the year. But anyway, I go inside. There's some people from the conference sitting at the bar. They're all coworkers. They're
talking shop and guess who's sitting right behind them. So, and even after I told them, Hey, these people are probably listening to you. They hadn't even drank that much. They weren't even drunk and they still wouldn't shut up. So I rage quit and went to my room. Anyway, uh, who in here does not have a social media account whatsoever? It's bad. And
we'll talk about that in a minute. But even if you don't, I'll go ahead and hit the segue to that. Your family, your friends, your coworkers, siblings, children, parents, cousins, somebody's bound to have it. I hate to break it to you, but the Zuck already
knows you. You're already in his algorithm and we'll get to that. The other side of that, uh, shortly, um, I like back windshields. The number of times I've almost crashed my car, trying to take pictures of back windshields, outweighs the number of times that I drive my car safely. But Tennessee has now passed a hands-free law. So I've got to find
a way to get Siri to take the picture while I'm driving. I'm going to have to get a windshield mount too, but that's going to change my threat profile because now people are going to think I've got a GPS hiding in the glove box and then they're going to break it. But anyway, on the internet, additionally, um, forums, that's a hot spot at times. It
tells me, uh, as an OSINT investigator that's trying to build rapport with someone, hey, you're interested in this or you have to do this. If I see that you live in Canton, Ohio and you're a huge fan of Python, I look in forums, you're asking questions, you're
getting into heated debates on Stack Overflow. I find your GitHub. It's all Python. And I see Canton has a Python users group. I can go easily build rapport with you, various ways to do that. And then I can ease at that point. I've entered your bubble. Anything could
happen from there. If I wanted to go hard, I could dox you. I could try to, uh, do some sort of extortion, something to that effect. Uh, or if I were trying to cause physical harm, get you to build trust, schedule a Python get together, uh, go into the snake
exhibit at the zoo and then coincidentally unleash a cobra or, um, uh, another snake, maybe a pit viper to kill you. If I wanted to do that, I'm terrified of snakes and there's no
reason to be terrified of iguanas to be honest. Uh, but anyway, resume sites, same thing. Um, Indeed is a great place for that. You don't have to register as an employer to go searching resumes on Indeed. So to kind of transition out of the OPSEC thing for just a second, if you're doing reconnaissance against a company, search for that company on Indeed
resumes and see what kind of technologies they're using. I mean, the resumes may not be up to date, um, but it's giving you an idea at some point in time, the following was used. Then you could pivot to LinkedIn and find some people to corroborate that for you because everyone's the vice president of something on LinkedIn. Let's just face it. And LinkedIn
is not meant to be a pump, but people keep pumping data in there instead of filtering it. I don't know why. Anyway, um, we've already discussed like social media and dating sites. So more of the where, you know, we got the Google-fu going on. Um, Google's
really solid for that, but don't put all your eggs in the same basket either. You've also got DuckDuckGo, you've got Bing, you've got other search engines. If you're looking for things in certain countries, you might need to use the regional search engine for that area. You may need to even change the language setting on your computer to get the results. So that's something to consider. Uh, from there as well, um, Google
The other thing that it's worth mentioning on the slide would be review sites like TripAdvisor and Yelp. Again, that's telling me a lot about you. I know based on this, that you were in New York City on February 33rd and you ate at this Italian restaurant and you
thought it was hot garbage. I know that you stayed in this hotel on March 52nd and the hotel was in Las Vegas and you walked into the room and it hadn't been flipped and the manager called you a liar so you said that they had bed bugs. It wasn't Vegas and it
wasn't March 52nd but that may have happened in Atlanta. I created a ProtonMail just for that. Anyway, so collecting. You know, at the end of the day, you need to build a dossier on yourself. And there's two ways you need to go about doing this. Do it yourself and then phone a friend. Uh, back in the glory days of the Intel
Techniques forums, uh, it was routine. I heard Michael talking about this on the podcast all the time. Pair up with someone, they investigate you, you investigate them, share the findings, remediate. Since I am not sure about the, uh, status going forward of the forums, um, if you need to do it, there's always OpenOSINT, um, I think it's
OpenOSINT.team, I don't recall the URL. I'm sure someone in here has the correct answer. Uh, but anyway, find someone you trust. If you're not even, if you're not there, then, um, just go on Twitter, hashtag OSINT. Hey, I would like to know about my, uh,
personal dossiers. Would anyone be willing to collect some OSINT on me and share it? There's nothing wrong with that. I mean, for people who are up and coming and people who want to keep, uh, sharp on the topic that don't get to do it as often as they would like, they're going to jump at this opportunity. And you never know, even if you
have a noob offering to do it, they're going to search a completely different way than other people sometimes. And as a byproduct of that, they're going to find things that someone seasoned may not find. It's just the way it is. They may enter their search criteria different, nothing wrong with that, but you know, they, of course, the
picture, the, the picture and your likeness. That's why I use that green caricature face on Twitter. People think I'm an old man with a porn 'stache. Then I show up baby-faced or with a beard, and in my thirties. Like, "You're a lot younger than I expected." Thanks. Get another disinformation works. Um, but also your location, your
location in terms of where you live, where you work, where you travel to, how often you travel. If I wanted to wreck someone's life, I would find out their employer. Initially I'd start calling, then emailing, then start blasting them
on social media. I'd make up something absolutely atrocious. I might even go in myself or have someone else go in and cause a scene because eventually the employer is probably going to have enough. At that point, they're probably
going to let the person go. When they let them go, I mean, future employers are going to call them for a reference. And that reference is probably not going to be pretty. They may say, Hey, this person's got a really solid work ethic, but boy, do they bring some baggage. Um, usernames and handles. Show of hands, who uses the same
username or handle across all platforms. I know you do Zach already checked for you. It's part of your DEFCON groups, background investigation. Anyway, um, that's actually a threat in and of itself as well, because if you do this and you don't
apply proper disinformation, tools like WhatsMyName, uh, or profiler or name check, you can go and drop that username in and identify every single website that that username is used on. I had a few people that were on Twitter that
volunteered for this. Um, Adrian Sanabria, who I'm co-presenting with at 2:30 today in the Red Team Village. He was gracious, gracious enough to allow me to do it. And I thought I came across some really juicy stuff. There were a few porn sites there. I was like, this isn't an Adrian I know. Nope. It was someone else who uses the same
handle in Spain. Another person that volunteered, uh, shout out to the Blue Team Village, Munin. He agreed to, I may have called him a few bad names because he went across all platforms, created accounts and populated with pure garbage. I wasn't able to
get anything on him, anything of any value. The only thing I knew was legit was Twitter. That's it. What about pesky MySpace? Who here still has a MySpace they've not deleted? I know you do, Eric. I was doing some 1099 work for KnowBe4. Um,
you're welcome for the background investigation. It is, um, I don't know why you picked out that Celine Dion song to play when people go to your page though. Yeah, your heart does go on. Uh, but anyway, the employers or clients, if you're in business
working for yourself, instead of calling and doing things with your employer, you can easily run disinformation and destroy the whole client environment. Betray the client's trust. If I don't trust a business, I won't do business with them. That's why you always see me riding in a Lyft, not an Uber. I'm sure there'll be a time that I
don't trust either and I just have to flip a coin. But until then, there we have it. Um, friends, family, lovers, it's just nature of the beast. Someone's bound to have anything. Uh, I was doing an investigation. I was looking for someone, um, and I was
told that I don't remember where it was. I'll just say Indonesia. I was told they were in Indonesia. Here's the URL to their Facebook. I go digging and this account was like a total ghost. So I went searching for accounts of the same name. I found another account, one mutual friend. I go looking through that mutual friend's pictures. That mutual friend is
smooching very passionately, I might add, with the person who I was looking for who was on a different account. So then I found this other account and I was able to identify, oh, they just checked in at this place. Where are the locations of this hotel? Cause it didn't say the city and I clicked it and it didn't work. So, oh, well they're in all
these places. Let's do a reverse image search for some of this tacky hotel wallpaper. Cause can we, can we all agree that hotels use some really tacky wallpaper? And I mean, I'm a terrible artist. I can't trace a dead cat, but I think I could probably get a high paying job creating art for hotel rooms. Just being honest. But anyway, any other
personally identifiable information that's out there, depending on where you are in the world, that definition changes. For example, in Europe, based on GDPR, that would be considered your email address or maybe even your IP address. What are your interests,
likes and dislikes? What causes are you passionate about? Are you a staunch supporter of the EFF? What are your thoughts about the inhabitant of 1600 Pennsylvania Avenue? Please keep them to yourself. My blood pressure is already high today. So political
affiliations, what, what is your political affiliation that can play into things. With the social media, look at the platforms they're using. That's going to be generational as well. This younger generation, they're all about what's instant. So Snapchat, Instagram, selfie here, a selfie there. Oh, look, I had a bowl of snapping turtle stew for
dinner tonight. It was delicious. Vomit face. What's their sharing profile? By sharing profile, I mean, privacy settings, and how much do they overshare? There's a debate group I'm in on Facebook, and someone got bored one day and created personality
profiles for several people we had observed in the group. And there's one that's called a number 17. And that's a chronic overshare. It doesn't matter what you say, they have a story to go with it. And they are the authoritative subject matter expert on it. But
anyway, password reset questions. I look at your relationships. I see, oh, look, there's their mother. Let's go back. Oh, mother listed their maiden name. Let's go. Let's go corroborate this on something like FamilyTreeNow or TruePeopleSearch. Yep, checks with chart. Let's do a password reset. For anyone that's wondering, my mother's maiden
name is a 16 character string. And she's one of the few women I know whose maiden name actually has the pound sign in it. Crazy. I don't know what my grandparents were thinking when they were able to legally change their last name and not have a public record of it. But hey, you know, and then who in here likes to do those dumb
quizzes on Facebook about like, what's your pro wrestler name? I like them too. I love them. Um, but with Google, you've got to you've got to employ things like innovative thinking when you're going across your searches. So Google being dubbed to go all of
this innovative thinking, be creative, don't confine yourself to just saying what you want. The three resources I've listed, two of them are cheat sheets, one from SANS, one from AlienVault, the other is the Google Hacking Database. That's going to help you construct specific queries to find what you're looking for. Bless you very much in the back. But
anyway, you want to have the search because it's not necessarily the question you ask, it's how you ask it. So when I'm doing face to face social engineering, one of my favorite questions to ask is what was your mother's what was your mom's name before she was married? I said nothing about a maiden name. I guarantee you I can go right outside
that door right now and within a minute probably get somebody to actually tell me something. I'm not gonna I wouldn't sit and validate it. But the fact that they would actually give something is kind of alarming, especially if we went down to the casino and did that to people not wearing these little circles, it would probably be a lot more effective. And depending on where you are in the country, like if you're in the
south, who's your mama's people? Who's your mom and them? Say stuff like that. You're in. So again, just to reiterate the gold mines, these are the ones that I have had the most success with. And the one on here that I've had the absolute most success with is
Instagram. I know you work at projector company, Inc. I go look up projector company Inc's mailing address. I input that into Instagram. As a byproduct, I now see every post that
was put up at that location with location services turned on. I challenge you this. When you get some time, pick a Fortune 500 company. I like the Fortune 5 to be honest. And from there, put in the address of their headquarters. See how many times you have to scroll down before you find a badge. It's alarming. I can tell you that there is a very large
Fortune 1 company who their employees have blue badges and their execs have yellow badges. I can tell you there's a lot of Arizona Razorback or Arkansas Razorback fans there because someone took a picture of his sports ball swag behind his computer screen while his
computer was unlocked. That corroborated a lot of things that I found using meta crawler in terms of software that was used in files published on their website. So Instagram, it's
the new OSINT. But when we think about this, we have, you know, there's some defenders in the room, we got to look at some mitigations. Let's go ahead and throw in some buzzwords. Well, there's some blockchain synergy, artificial intelligence, machine learning mitigations, advanced persistent mitigations. Yeah, military grade. Rate limiting: I
should not be able to try to reset your password 45 times in three seconds. I can't type fast, but even if I could, that's pretty darn fast. With the canaries and deceptive
technologies, this is more of a corporate thing. But employ this with the with the rate limiting. I mean, if you have a personal website, it'll work. Same thing there. Look at your configuration. Don't let your hosting provider just do the wizard for you. Deceptive technologies, you may be able to do some things with that as well. I have an email
address that I've got published all over my website. And I love it when I get these invoices for products that I shipped or that was shipped to me that I have no no knowledge of, especially when it's in very poor English, coming from somewhere that doesn't match. And for whatever reason, this attachment's a dot exe, but it claims to be a
PDF. Hmm. I don't know how that works. That must be one of those new file types. Okay, I was thinking it was probably one of those new Microsoft ATP functions. Who knows? But anyway, it doesn't matter where you are, segment things, segment your personal life from
your work life. Don't work on personal crap on your work computer. Don't work on work stuff on your personal computer. That's containing your profile, it's protecting your business, but it's also protecting you. If you're in the US and you're working on your personal things on your work computer, not only are you consenting to being monitored, but if the company decides to pursue you in court and say that's our
intellectual property, you have no leg to stand on in civil or criminal anything, period. Uh, encryption to a degree is going to help this. Just because it's on the internet doesn't mean it needs to be unencrypted. You know, we can say crypto without saying currency. We can say crypto and add graphy to the end or gruffy. But anyway,
minimize the data, opt out when you can. If you're planning any international travel, like say to Europe, uh, there's a cool little hack you can do. Uh, I'm not sure if this
would work if you just did a VPN to, uh, the EU, but it will certainly work if you actually are physically in the EU. Um, just opt out of everything. Use the GDPR right to be forgotten. If the company fails to do so in a timely manner, uh, they could be fined up to 4% of their global annual revenue. So when I went to Hack in Paris this year,
you know, France is in the EU, um, as soon as I got that IP address, I already had everything staged. I spent some time the weeks leading in. I was like, I'm going to opt out of some stuff, like especially the really pesky stuff that doesn't have a clear, easy process. But opt out when you can. Train your people, train your family, how to report
incidents. I mean, if we're talking about this at a home, in a home setting, aside from Zach, I don't know anybody who has a CSIRT in their house. I just don't. Um, if you
have something suspicious, some, some weird contact, how are we going to handle this? Do we report this to law enforcement? Do we report it to social media? Do we try to get it taken down or do we just leave it in place? How do we do it? Because reporting to social media is sometimes the right answer. Reporting to law enforcement is sometimes the
right answer. Sometimes it's the wrong answer. If you report it to social media, there's a good chance it's going to get deleted. And then you're now going to have to get a warrant for them to cooperate with law enforcement. Gamify things if you can. That's more of the business setting. But anyway, when you're collecting, you've got to think
about what is the end game? Is this ethical? You're collecting on yourself. So I would say we could go ahead and check that box and say it's very ethical. Um, how do you protect what you've collected? How do you get what you've collected to go away? And then the collection swap with the trusted peer. That's what I was talking about earlier in
terms of find someone that you trust enough to do this without misusing or just basically compounding the problem. Um, find someone and then collect that information and then you may do the same for them or something to that effect. So let's move into the actual OPSEC piece. So you need to know the know thy enemy. Who
are they and why are they coming for you? I always think back to that really cheesy horror film, The Strangers, and they're like, why are you doing this to us? Because you were home. You could be a target of opportunity. You may be LGBTQIA+. You may be a woman.
You may be a minority. You may be a Trump supporter. You may be, uh, anti-fascist. You may have said something that people consider to be bigoted as a byproduct. Someone is coming after you. They want to wreck your digital life and in some cases in real life, they
may be trying to stalk or harass you. They may be trying to inflict physical bodily harm, um, leading up to death and or rape. It could be all sorts of terrible atrocious things. So this is why it's important. You need to know your profile. Are you in a position that nation state threat actors, sorry for the thing, take a drink,
um, that they are going to come for you? What happens when they do come for you? I've got to pick up my pace a little bit here. Um, why? So if you want to opt out, here's three blog posts about opting out. I've got an opt out link, uh, curated by, uh, Micah Hoffman, WebBreacher, on the, uh, next slide. I will make these slides
available, uh, just so that I can keep it rolling a little bit. Although, uh, I did just inadvertently get a Lady Gaga song stuck in my head because I heard someone refer to this as the paparazzi. So I got that stuck in my head. It happened to me yesterday too.
Anyway, so that's the link. If you want to get the opt out links, he has pretty good instructions for that. So secure internet usage. I'm not saying you can't use Google, I'm just saying that you might want, might not want to trust it. Use a VPN. Uh, it was brought to my attention yesterday that there is suspicion that ExpressVPN has been influenced and possibly, uh, subverted by, uh, the Chinese government. So I'm not
endorsing that even though it's on the slide. Um, so as a byproduct, look at something else, do your own independent research. Um, and then at the conclusion of my own research, I'll adjust the slide as necessary. Um, what's your browser add ons, your extensions, your vulnerability management posture, standard cyber housekeeping. I know I just
said cyber, take a drink. Consider whether you're going to use your real name or your real pictures on social media or dating apps. Funny story. My mom started dating for the first time in like 30 something years. A couple of years back, she came back from a date once and she was livid. I was like, Oh, that good, huh? She was like, he lied. I was like, about what? She's like, his name. I was like, what'd you think it was?
She's like, Keith Stone. I was like, you obviously don't drink beer. You obviously don't watch TV, because that was the time that they were doing those really corny Keith Stone beer commercials. But are you in a position where you're in the public? Are you law enforcement, an executive, a public speaker, um, at your employer? Does the news come in
interviewing you about things? You know, is your email address in data breaches? Do you use the same username all over the place? So if you want to do something, here's the thing called the Streisand effect. There's the link to the GitHub repo. Basically you run it in Linux. Uh, it's a script. You input an API key. It will start a cloud
instance for you in your cloud provider of choice, whether it be AWS, Azure, DigitalOcean, whatever. And it will set all these things up for you to help you cut a key, all that. That's going to cut your ability of subversion down drastically because the only threats you have to deal with would be the software associated and the hosting
provider, as opposed to a service provider that you don't necessarily have the transparency for because you do have root level privileges with this system. So when we talk about deception, disinformation is a type of deception and you have deception. Unless you're talking to law enforcement or in a court of law, there's no obligation to
tell the truth. And as we've learned from politicians, you might still be able to get away with not doing it then. But nevertheless, um, have your, have some fake accounts, put some things out there, see what gets picked up on. When you see things showing up in people, you should know that's when you need to get concerned on
Facebook. Consider how you're going to pay for things. Consider honeypots, honey tokens, honey email addresses, canaries, all that fun stuff. So with the disinformation, make it hard for someone to attribute something to you. For the males in here, if you, if
you're given a name as a junior or a third, you're actually at a significant advantage as long as both people with the same name don't use junior, senior, all those qualifiers. Don't use the same browser. There's a tool called browser links. Just do a search for browser links. You can emulate navigating websites from Windows 95 if you
want to. For the ideal Facebook viewing experience, that's what I do. But anyway, put fake data out about yourself. Michael Bazzell routinely talks about magazines. If you subscribe to you, your information is going to end up in the public. I'm not going to say where, but there are several hotels that are receiving complimentary Golf
Digest, Forbes, Wired, and Esquire magazines courtesy of yours truly. So only because I thought they needed it. I'm done with hotels now. So I think when I do it the next time, I'm going to do some doctor's offices because you know, they're going to cut your address out of it, your name and all that stuff. 'Cause they want to make it look like it was
coming to them. Um, you know, do that. If you want to run some disinformation accounts, set up some stuff: ProtonMail, Hushmail, Sudo. The MySudo app is amazing. I use it all the time. When people are like trying to get really snoopy, I'll give them a phone number. I don't like, yeah, call me up. And you know, some people like when they really want, they'll be like, all right, let me
call us so I can have your number. You can still answer it. You can text from it as well. It's beautiful. Um, with social media, various levels of accuracy, have some accounts with your name and somebody else's picture or a caricature. Have some accounts that have your picture with someone else's name on it. I mean, I wouldn't
say be Keith Stone or Seymour Butts, but come up with a realistic name. You can go double false and use a fake name and a fake picture. And you can go double true if you want. Double true can be tricky though. I'm not sure I'd go that route. Final layer of the OPSEC. Consider a New Mexico LLC. There's some
privacy behind that. So you can use that for things that generate public records like buying a house. Do not subscribe to magazines with your LLC though. So other places of public record. If you're in a publicly traded
company and you're an exec, there's a good chance your name is going to be in SEC Form 10-K as well as maybe 8-K and some of the others. Here's what you don't do. Don't apply for a new social. The vast majority of people do not qualify to get a new social. If you go to the
Wikipedia page for social security numbers, you will actually find a fake social, a real social that has since been retired that you could use as a fake. A wallet manufacturer in 1938, he took his secretary's social, made a copy of it and put the copy in every single wallet that was sold. So the secretary got a new social. I used to have it memorized. I think it's
like 078114420 I think. Could be wrong. Don't legally change your name because what does that do? Creates a public record. Don't avoid social media altogether because you need to have that social media account. You need to be friends with people. So if someone stands up an account posing as you and sends them a friend request, they can be like,
Hey, did you do that? When you had, did you lose your phone? I mean, I've got this one cousin, he gets hacked or loses his phone at least nine times a year. If you looked through my friends list, you would see like this guy named Fred. And it's like, man, he's got a lot of accounts. He must be really good at OSINT. No, he's really that clumsy. But also don't take an absolute stance on anything. Law enforcement, all that
fun stuff. I'm going to skip the deceptive stuff just because of time. But here's a quick blurb about Through the Hacking Glass. Basically, we're trying to do what academia and certifications are not geared to do: experience. And here is hacker hold it, get a picture of
that real quick. And there's my contact information. I don't think we do we have time for questions? Nope. Sorry, I will field questions in the hallway. I was told I don't have time. Thank you very much.